vBulletin Redirect Exploit

jerde

Participant
Joined
Mar 14, 2013
Messages
68
The thread was originally posted in the licensed members forum, and then was redirected to another forum. So most likely yet another bug on vB5 that is prohibiting anyone from accessing it.
 

ainwood

Neophyte
Joined
Jan 2, 2011
Messages
2
We're having a problem where some people trying to access our site from a search engine or from a notification email are getting the vBulletin error page with an error like this:

Unable to add cookies, header already sent.
File: /usr/local/etc/httpd/path-to-forum/includes/init.php(298) : eval()'d code
Line: 156

People visiting from typing the forum URL to the search bar are unaffected. Is it likely that this exploit is a cause of this?
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,870
Unable to add cookies, header already sent.
File: /usr/local/etc/httpd/path-to-forum/includes/init.php(298) : eval()'d code
Line: 156

Remove or improve the modification which is causing this.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,218
We're having a problem where some people trying to access our site from a search engine or from a notification email are getting the vBulletin error page with an error like this:

People visiting from typing the forum URL to the search bar are unaffected. Is it likely that this exploit is a cause of this?

Open your init.php file in a text editor, go to line 298. There should be a line of code telling you the name of the hook that is there.

Then go to your Admin CP -> Plugins & Products -> Plugin Manager and look for all plugins that are on that specific hook.

The problem is due to one of these plugins. Take note of which modifications and disable each modification until the problem goes away.

Hopefully you can determine some way of replicating the issue on demand so you can test it yourself.
 

ainwood

Neophyte
Joined
Jan 2, 2011
Messages
2
Thanks. Managed to track it down I think. Malware injection in a plugin that tried to execute a .js script. I had deleted the .js a few days ago, but was struggling to see where it was being called from. It uses base64_decode. Is there any reason why I shouldn't just disable that PHP function?
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,218
vBulletin has its own function vb_base64_decode() in the functions.php file- it tries to use the PHP base64_decode() function but if it doesn't find it, it has its own version to run- so I *think* you can disable the function and the main forum software should work, but I've never tried it.

Please note- the Panjo plugin in 4.2.2 will not work with base64_decode() disabled and a small number of 3rd party plugins may also break. I know DigitalPoint uses it in some mods to encode small images right in the plugin rather than have you upload images with the mod.

I think I will add to JIRA for Panjo to use the vb function rather than the standard base64_decode().
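
As an added illustration (not part of the thread and not vBulletin code), this sketch triages plugin PHP for literal base64_decode() calls and decodes them, separating embedded data such as small images from payloads that carry script markup or sit next to eval(). The (title, hookname, phpcode) tuple layout and every sample plugin are assumptions constructed for the example.

```python
import base64
import binascii
import re

# Hypothetical input shape: (title, hookname, phpcode) tuples, e.g. copied out
# of the Plugin Manager. All sample values below are constructed.
def _b64(raw):
    return base64.b64encode(raw).decode()

SAMPLE_PLUGINS = [
    ("Icon mod", "global_start",
     "$img = base64_decode('%s');" % _b64(b"GIF89a\x01\x00\x01\x00")),
    ("Injected loader", "init_startup",
     'eval(base64_decode("%s"));' % _b64(b"echo '<script src=\"/x.js\"></script>';")),
    ("Plain plugin", "global_start", "$show['x'] = true;"),
]

# base64_decode() called on a quoted string literal (PHP names are case-insensitive)
LITERAL_CALL = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)", re.I)
EXEC_CALL = re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)
ACTIVE_CONTENT = re.compile(rb"<script|<iframe|document\.write|https?://", re.I)

def triage(plugins, hook=None):
    """Return one finding per literal base64_decode() call, optionally for one hook."""
    findings = []
    for title, hookname, code in plugins:
        if hook is not None and hookname != hook:
            continue
        for match in LITERAL_CALL.finditer(code):
            try:
                decoded = base64.b64decode(match.group(2))
            except (binascii.Error, ValueError):
                decoded = b""  # malformed literal: nothing to inspect
            reasons = []
            if EXEC_CALL.search(code):
                reasons.append("plugin also calls eval/assert/create_function")
            if ACTIVE_CONTENT.search(decoded):
                reasons.append("decoded text contains script markup or a URL")
            findings.append({
                "title": title, "hook": hookname, "decoded": decoded,
                "verdict": "review" if reasons else "likely-data",
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_PLUGINS):
        print(f["verdict"], f["title"], f["hook"], f["decoded"][:40], f["reasons"])
```

Calls whose argument is a variable rather than a string literal are not decoded by this sketch and still need a manual read.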
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,218
The exploit that started this thread was in Yahoo YUI libraries 2.8.x and below. VB 4.2.2 uses YUI 2.9.0 so it has been fixed- I don't recall when they updated to 2.9.0 locally- it could have been a year ago, maybe more, maybe less- either way it was already fixed.
 

BirdOPrey5

#Awesome
Joined
Aug 14, 2008
Messages
4,218
ok so an exploit 1st reported in 2010 was fixed in 2014? awesome

You are mistaken, good sir. Your conclusion cannot be drawn from my statement. It may have been fixed at any time between when it was reported and yesterday- I honestly have no idea.
 

mrbill

Enthusiast
Joined
Feb 1, 2012
Messages
150
Just made the change to my vb4 site. And, that's why I like it here. Thanks much.
 

ozzy47

Tazmanian Master
Joined
Oct 18, 2013
Messages
8,989
Huh, this was patched in 2011, and you are now making the change?
 

Rastus

Aspirant
Joined
Mar 11, 2005
Messages
14
ok so an exploit 1st reported in 2010 was fixed in 2014? awesome

As an FYI ... (resurrecting from the dead since I am still looking for a permanent resolution to this)

It still has not been fixed. It's as rampant as ever. I'm on VB 4.2.3 and running the C4H fix from VB.org and I still get infected. If it was not so cost prohibitive and labor intensive to migrate away from vBulletin (for me), I would happily move to a different platform.

my 2 cents
 